… "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension – the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default 'admin' password will give the attacker access to AMT.

The Russian hackers who stole emails from
the Democratic National Committee as part of a campaign to interfere
in the 2016 election have been trying to steal information from the
U.S. Senate, according to a report published Friday by a computer
security firm.

Beginning last June, the Russian hackers
set up websites that were meant to look like an email system
available only to people using the Senate’s internal computer
network, said the report by Trend Micro Inc. The sites were designed
to trick people into divulging their personal credentials, such as
usernames and passwords.

Furthermore, end-to-end encryption is also applied to any files users send to their conversational partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep users’ information private.

Private Conversations, Kilbourne explains in a post, uses the industry-standard Signal Protocol by Open Whisper Systems. The protocol already provides end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.

… The evolution of the auto industry is similar in form to the currently nascent world of artificial intelligence. And like the auto industry, in order for AI to flourish, organizations must adopt and embrace a prerequisite set of conditions, or building blocks. For example, AI requires machine learning, machine learning requires analytics, and analytics requires the right data and information architecture (IA). In other words, there is no AI without IA. These capabilities form the solid rungs of what we call the “AI Ladder” — the increasing levels of analytic sophistication that lead to, and buttress, a thriving AI environment.

I want to talk this through with my Data Management class. What would be required to implement it?

The U.S. Supreme Court will consider freeing state
and local governments to collect billions of dollars in sales taxes
from online retailers, agreeing to revisit a 26-year-old ruling that
has made much of the internet a tax-free zone.

Heeding calls from traditional retailers and
dozens of states, the justices said they’ll hear South Dakota’s
contention that the 1992 ruling is obsolete in the e-commerce era and
should be overturned.

A security vulnerability impacting macOS High Sierra allows admins to unlock the App Store preferences in System Preferences by providing any password.

The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.

macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.

Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the preference pane.

Interesting.
Prepare a dossier by stealing data online (or maybe just the Equifax
data?) and use it to construct a plausible case for infidelity.
Would it seem more real if it came by mail?

KrebsOnSecurity heard from a reader whose friend
recently received a remarkably customized extortion letter via snail
mail that threatened to tell the recipient’s wife about his
supposed extramarital affairs unless he paid $3,600 in bitcoin. The
friend said he had nothing to hide and suspects this is part of a
random but well-crafted campaign to prey on men who may have a guilty
conscience.

The letter addressed the recipient by his first
name and hometown throughout, and claimed to have evidence of the
supposed dalliances.

… Of course, sending extortion letters via
postal mail is mail
fraud, a crime which carries severe penalties (fines of up to $1
million and up to 30 years in jail). However, as the extortionist
rightly notes in his letter, the likelihood that authorities would
ever be able to catch him is probably low.

The last time I heard of or saw this type of
targeted extortion by mail was in the wake of the 2015
breach at online cheating site AshleyMadison.com. But those
attempts made more sense to me since obviously many AshleyMadison
users quite clearly did have an affair to hide.

… I opted not to publish a scan of the letter
here because it was double-sided and redacting names, etc. gets dicey
thanks to photo and image manipulation tools. Here’s
a transcription of it instead (PDF).

In the most recent object lesson in a data breach
privilege case, a federal appeals court has ordered a Michigan-based
mortgage lender to turn over privileged forensic investigatory
documents after the investigator’s conclusions were revealed in
discovery.

… In an interrogatory response, United Shore
said that it retained a forensic firm – through counsel – to
investigate the breach that had concluded XMS’s action caused the
intrusions. The interrogatory stated that its forensic investigator
determined that “certain files stored in XMS’s … system had
been accessed without authorization … in plain violation of
established security protocols.” United Shore disclosed more than
150 non-privileged documents concerning the investigation, but it
withheld additional documents based on the attorney client privilege.

District Court Ruling. XMS moved to
compel United Shore to produce the privileged documents, arguing that
it implicitly waived the attorney-client privilege by referencing its
investigator’s conclusions in its discovery response.

The district court agreed. It concluded that United Shore not only disclosed that its investigator “conducted an investigation ... [but] also provided ... conclusions from that investigation.”

Would we pass a law like this if we were starting
from zero today? Probably not.

The House of Representatives voted on Thursday to
extend the National Security Agency’s warrantless surveillance
program for six years with minimal changes, rejecting a push by a
bipartisan group of lawmakers to impose significant privacy limits
when it sweeps up Americans’ emails and other personal
communications.

The vote, 256 to 164, centered on an expiring law
that permits the government, without a warrant, to collect
communications from United States companies like Google and AT&T
of foreigners abroad — even when those targets are talking to
Americans.

Law is complex. Is there any place to ask about a
topic and get answers that point out differences in all 50 states?

Connecticut’s highest court ruled
Thursday on an issue that most people may think is already settled,
saying doctors have a duty to keep patients’ medical records
confidential and can be sued if they don’t.

The Supreme Court’s 6-0 decision
overturned the ruling of a lower court judge who said Connecticut had
yet to recognize doctor-patient confidentiality.

The high court’s ruling reinstated a
lawsuit by former New Canaan resident Emily Byrne against the Avery
Center for Obstetrics & Gynecology in Westport.

Read more on the Boston Herald, while I scratch my head over this one. Connecticut health law never required confidentiality? Seriously? From reading the rest of the article, it sounds like the center had a pretty clear privacy policy that made it clear that they might disclose in response to subpoenas, but even so…

So for all this time, mental health patients in
Connecticut had no enforceable right to confidentiality? Or was
there an exception for mental health?

How could this be????

Governments do not do IT well. (I may have said
that a few hundred times.)

“Most of the 22 selected agencies did not
identify all of their information technology (IT) contracts. The
selected agencies identified 78,249 IT-related contracts, to which
they obligated $14.7 billion in fiscal year 2016. However, GAO
identified 31,493 additional contracts with $4.5 billion obligated,
raising the total amount obligated to IT contracts in fiscal year
2016 to at least $19.2 billion (see figure). The percentage of
additional IT contract obligations GAO identified varied among the
selected agencies. For example, the Department of State did not
identify 1 percent of its IT contract obligations. Conversely, 8
agencies did not identify over 40 percent of their IT-related
contract obligations. Many of the selected agencies that
did not identify these IT acquisitions did not follow Office of
Management and Budget’s (OMB) guidance.

... agencies will likely miss an opportunity to
strengthen CIOs’ authority and the oversight of IT acquisitions.
As a result, agencies may award IT contracts that are duplicative,
wasteful, or poorly conceived.”

Fiat Chrysler Automobiles said on Thursday it will
shift production of Ram heavy-duty pickup trucks from Mexico to
Michigan in 2020, a move that lowers the risk to the automaker’s
profit should President Donald Trump pull the United States out of
the North American Free Trade Agreement.

Introducing the all-new Voice
Dictation v2.0, a speech recognition app that lets you type with
your voice. There’s no software to install, there’s no training
required and all you need is Google Chrome on your Windows PC, Mac OS
or Linux.

Dictation can recognize spoken words in English,
Hindi, Español, Italiano, Deutsch, Français, and all the other
popular languages.
Another unique feature of Dictation is support for voice commands that let you do more with your voice. For instance, you can say a command like new line or nueva línea for inserting lines. You can add punctuation, special symbols and even smileys using simple commands in most languages.

Thursday, January 11, 2018

A group of hackers linked to Russia has leaked several emails apparently exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics. The leak comes in response to Russia being banned from the upcoming Pyeongchang 2018 Winter Games in South Korea.

The group, calling itself Fancy Bears and claiming to be a team of hacktivists that “stand for fair play and clean sport,” previously released confidential athlete medical records stolen from the systems of the World Anti-Doping Agency (WADA), and also targeted the International Association of Athletics Federations (IAAF). One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances.

The first leaks from Fancy Bears came shortly after Russian athletes were banned from the 2016 Rio Olympics following reports that Russia had been operating a state-sponsored doping program.

While Fancy Bears claim to be hacktivists, researchers have found ties between the group and Fancy Bear, a sophisticated Russian cyber espionage team also known as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The latest leak includes emails apparently exchanged between IOC officials and other individuals involved with the Olympics. Some of the messages discuss the recent decision to ban Russia from the upcoming Winter Games based on the findings of the IOC Disciplinary Commission.

… While the hackers claim the emails they leaked prove the accusations, a majority of the messages don’t appear to contain anything critical. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored.

In May 2015 about 10 investigators for the Quebec
tax authority burst into Uber
Technologies Inc.’s office in Montreal. The authorities
believed Uber had violated tax laws and had a warrant to collect
evidence. Managers on-site knew what to do, say people with
knowledge of the event.

Like managers at Uber’s hundreds of offices
abroad, they’d been trained to page a number that alerted specially
trained staff at company headquarters in San Francisco. When the
call came in, staffers quickly remotely logged off every computer in
the Montreal office, making it practically impossible for the
authorities to retrieve the company records they’d obtained a
warrant to collect. The investigators left without any evidence.

“United States Senators Elizabeth Warren
(D-Mass.) and Mark Warner (D-Va.) today introduced the Data Breach
Prevention and Compensation Act to hold large credit reporting
agencies (CRAs) – including Equifax – accountable for data
breaches involving consumer data. The bill would give the Federal
Trade Commission (FTC) more direct supervisory authority over data
security at CRAs, impose mandatory penalties on CRAs to incentivize
adequate protection of consumer data, and provide robust compensation
to consumers for stolen data. In September 2017, Equifax announced
that hackers had stolen sensitive personal information – including
Social Security Numbers, birth dates, credit card numbers, driver’s
license numbers, and passport numbers – of over 145 million
Americans. The attack
highlighted that CRAs hold vast amounts of data on millions of
Americans but lack adequate safeguards against hackers.
Since 2013, Equifax has disclosed at least four separate hacks in
which sensitive personal data were compromised. The Data Breach
Prevention and Compensation Act would establish an Office of
Cybersecurity at the FTC tasked with annual inspections and
supervision of cybersecurity at CRAs. It would impose mandatory,
strict liability penalties for breaches of consumer data beginning
with a base penalty of $100
for each consumer who had one piece of personal identifying
information (PII) compromised and another $50 for each additional PII
compromised per consumer. Under this legislation, Equifax
would have had to pay at least a $1.5 billion penalty for their
failure to protect Americans’ personal information. To ensure
robust recovery for affected consumers, the bill would also require
the FTC to use 50% of its penalty to compensate consumers and would
increase penalties in cases of woefully inadequate cybersecurity or
if a CRA fails to timely notify the FTC of a breach.”

… One day this autumn, an Acela pulls into
Newark, N.J., and a railway spokesman escorts me onto the rear engine
car, where we stand and take in the view facing backward. As we
descend into one of the Hudson tunnels—there are two, both 107
years old, finished in the
same year the Wright brothers built their first airplane factory—a
supervisor flips on the rear headlights, illuminating the ghastly
tubes.

“By one recent estimate about 8.9 percent of
Americans, or about 29 million people, lack access to wired home
“broadband” service, which the U.S. Federal Communications
Commission defines as an internet access connection providing speeds
of at least 25 Mbps download and 3 Mbps upload. Even where home
broadband is available, high prices inhibit adoption; in one national
survey, 33 percent of non-subscribers cited cost of service as the
primary barrier. Municipally and other community-owned networks have
been proposed as a driver of competition and resulting better service
and prices. We examined prices advertised by a subset of
community-owned networks that use fiber-to-the-home (FTTH)
technology. In late 2015 and 2016 we collected advertised prices for
residential data plans offered by 40 community-owned (typically
municipally-owned) FTTH networks. We then identified the
least-expensive service that meets the federal definition of
broadband (regardless of the exact speeds provided) and compared
advertised prices to those of private competitors in the same
markets. We were able to make comparisons in 27 communities and
found that in 23 cases, the community-owned FTTH providers’ pricing
was lower when the service costs and fees were averaged over four
years. (Using a three-year average changed this fraction to 22 out
of 27.) In the other 13 communities, comparisons were not possible,
either because the private providers’ website terms of service
deterred or prohibited data collection or because no competitor
offered service that qualified as broadband. We also found that
almost all community-owned FTTH networks offered prices that were
clear and unchanging, whereas private ISPs typically charged initial
low promotional or “teaser” rates that later sharply rose,
usually after 12 months. We made the incidental finding that Comcast
advertised different prices and terms for the same service in
different regions. We do not have enough information to draw
conclusions about the impacts of these practices. In general, our
ability to study broadband pricing was constrained by the lack of
standardization in internet service offerings and a shortage of
available data. The FCC doesn’t collect data from ISPs on
advertised prices, prices actually charged, service availability by
address, consumer adoption by address, or the length of time
consumers retain service.”

The Atlantic – “This moment was inevitable. It just wasn’t
supposed to happen so soon. Due to the inexorable aging of the
country—and equally unstoppable growth in medical spending—it was
long obvious that health-care jobs would slowly take up more and more
of the economy. But in the last quarter, for the first time in
history, health care has surpassed manufacturing and retail, the most
significant job engines of the 20th century, to become the largest
source of jobs in the U.S. In 2000, there were 7 million more
workers in manufacturing than in health care. At the beginning of
the Great Recession, there were 2.4 million more workers in retail
than health care. In 2017, health care surpassed both. There are
several drivers of the health-care jobs boom. The first is something
so obvious that it might actually be underrated, since it is
rarely a proper news story in its own right: Americans, as a group,
are getting older…”

Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.

Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Whether personal files or work documents, the antivirus has access to them all, which allows it to work as needed.

… To prove this, using the "Antivirus Hacker's Handbook" (Joxean Koret) as the basis for an experiment, he tampered with the virus signatures of Kaspersky Lab’s Internet Security for macOS, modifying one of the signatures to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he didn’t alter the security application’s main purpose.

A Foreign Navy Screwed Up Its New $3 Billion Nuclear Missile Sub By Leaving Its Hatch Open

The modern submarine
is not a simple machine. A loss of propulsion, unexpected flooding,
or trouble with reactors or weapons can doom a sub crew to a watery
grave.

Also, it’s a good
idea to, like, close the hatches before you dive.

Call it a lesson
learned for the Indian navy, which managed to put the country’s
first nuclear-missile submarine, the $2.9 billion INS Arihant, out of
commission in the most boneheaded way possible.

The Hindu reported yesterday that the Arihant has been out of commission since suffering “major damage” some 10 months ago, due to what a navy source characterized as a “human error” — to wit: allowing water to flood the sub’s propulsion compartment after failing to secure one of the vessel’s external hatches.

As citizens get better at circumventing government “shutdowns,” governments get better at closing the loopholes. A case study for my Ethical Hacking students.

Iran tried
to block the internet to disrupt protests. It wound up disrupting
daily life

… Like other Iranians dependent on the web,
Nouri was at first set back when the Supreme National Security
Council restricted access to social media applications and servers
commonly used to bypass Iran's cloistered internet.

"We weren't able to communicate to our users
and we lost payments," Nouri said.

It took the 32-year-old three
days to find a different server to host his mobile app
design company, which employs 15 people, allowing him to again evade
government censors and get his business back up and running.

As authorities have tried to govern the internet,
Iranians have over the years become adept at circumventing online
censorship. But as more Iranians use the internet — and the
internet plays a bigger role in an increasingly web-connected society
— crackdowns have broader effects. For many, internet restrictions
in recent weeks disrupted daily life more than the protests did.

… As the latest protests spread, authorities
banned use of Telegram and Instagram, which had been used to mobilize
demonstrations. At one point, authorities completely cut off
internet access for 30 minutes, according to security experts.

Stern, Simon, Introduction: Artificial
Intelligence, Technology, and the Law (December 24, 2017). 68
University of Toronto Law Journal (2018). Available at SSRN:
https://ssrn.com/abstract=3092887

“This article introduces the essays on
“Artificial Intelligence, Technology, and the Law” in the issue
of the University of Toronto Law Journal based on a conference held
in February 2017. The article discusses the themes of each paper,
examining the challenges they raise and reflecting on their further
implications.”

A Louisiana school board is under fire after a
teacher
was forcibly removed from a board meeting after questioning the
superintendent's pay. Deyshia Hargrave was handcuffed and arrested
by a city marshal Monday night in Abbeville. The middle school
English teacher was booked on one count of resisting an officer and
one count of remaining on premises after being forbidden. She later
posted bond.

Superintendent Jerome Puyau is not commenting on
Hargrave's arrest, but is defending his raise, reports CBS News'
Vladimir Duthiers.

"It was time that we brought to the board a
salary that's commensurate with what superintendents are making,"
Puyau said.

Since 2012, Puyau has been making about $110,000
per year, according to two board members. With the new contract that
was approved Monday, he could earn $38,000 more. In 2016, the
average Louisiana teacher's salary was around $49,000.

The Vermilion Parish School board and the city
prosecutor say they are not moving forward with charges against
Hargrave, but many in the district still want to know why their
colleague, a former teacher of the year, was arrested in the first
place.

This definitely falls in the “we can, therefore
we must” category. All I can say is, “must we, really?”

Ikea Wants
You to Pee on This Ad. If You’re Pregnant, It Will Give You a
Discount on a Crib

Swedish agency Åkestam Holst, Adweek’s
International
Agency of the Year for 2017, has been killing it with the Ikea
work in recent years. And it starts out 2018 with a splash
(sorry) by creating a magazine ad that women are encouraged to pee
on.

Sounds a bit gross, and maybe it is—but there’s
a fun twist. If you’re pregnant, peeing on the ad reveals a
special discounted price on cribs, thanks to technology similar to
that in pregnancy-test kits.

… This is definitely the coolest pee-based
advertising since Animal Planet put urine-scented
ads at the bottom of lampposts to attract dogs (whose owners then
saw a larger ad at their own eye level promoting a dog award show).

Tuesday, January 09, 2018

The Centennial School District
on Friday announced a security breach within its student information
systems. District
officials do not currently believe any important student information
was taken, however the investigation is ongoing.

Two Centennial High School students — a junior and senior, both under 18 — are responsible for the data breach, school district spokeswoman Carol Fenstermacher told Patch in an email Friday. One of the students reportedly told authorities they did it to “show that the system could be hacked,” Fenstermacher said, but police are working to determine any specific or nefarious intent.

The district’s IT staff reportedly
found the access points that were hacked by the students and has
secured them, Fenstermacher said. Law enforcement is determining the
full extent of the breach and figuring what, if anything, was taken.

Fenstermacher said the hackers were able to access
the names, birthdates, addresses, schools and grade levels, phone
numbers, student IDs, and demographic information of all current and
former Centennial School District students.

I tweeted about this breach disclosure earlier
today after Zack Whittaker called everyone’s attention to it, and I
am glad to see that Catalin has written the matter up:

In a data
breach notification letter submitted to the Office of the
Attorney General for the state of California, a makeup product vendor
said it could not fully assess the impact of a recent card security
breach due to a lack of backups.

[…] Beautyblender
started investigating the incident after two customers complained
about fraudulent transactions on credit cards used on the site.

[…] “Unfortunately, due to the lack
of backups of the website that were available from the website
hosting company, beautyblender has been unable to confirm the date
that the malware was placed on the website.”

An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.

The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

… Discovered by GulfTech security researcher James Bercegay, the security flaws could be exploited to achieve remote root code execution on the affected WD My Cloud personal cloud storage units (the device is currently the best-selling NAS (network attached storage) device on Amazon).

One of the most important security issues the researcher found was an unrestricted file upload vulnerability created by the “misuse and misunderstanding of the PHP gethostbyaddr() function,” the researcher says.

Perhaps you’re an office manager tasked with
setting up a new email system for your nonprofit, or maybe you’re a
legal secretary for a small firm and you’ve been asked to choose an
app for scanning sensitive documents: you might be wondering how you
can even begin to assess a tool as “safe enough to use.” This
post will help you think about how to approach the problem and select
the right vendor.

“Recent scandals about the role of social media
in key political events in the US, UK and other European countries
over the past couple of years have underscored the need to understand
the interactions between digital platforms, misleading information
and propaganda, and their influence on collective life in
democracies. In response to this, the Public
Data Lab and First
Draft collaborated last year to develop a free,
open-access guide to help students, journalists and
researchers investigate misleading and viral content, memes and
trolling practices online. Released today, the
five chapters of the guide describe a series of research
protocols or “recipes” that can be used to trace trolling
practices, the ways false viral news and memes circulate online, and
the commercial underpinnings of problematic content. Each recipe
provides an accessible overview of the key steps, methods, techniques
and datasets used. The
guide will be most useful to digitally savvy and social media
literate students, journalists and researchers. However, the recipes
range from easy formulae that can be executed without much technical
knowledge other than a working understanding of tools such as
BuzzSumo and the CrowdTangle browser extension, to ones that draw on
more advanced computational techniques. Where possible, we try to
offer the recipes in both variants…”

Samsung Electronics Co. spent more money on
capital expenditures last year than any other publicly traded
company, offering a dramatic example of how technology and telecom
firms have driven an uptick in global manufacturing investment.

The South Korean tech giant invested $44 billion
to build or expand new facilities making semiconductors, displays and
other products, according to S&P Global Market Intelligence
estimates.

… Both conservatives and progressives invoke
“consumer welfare” as antitrust’s core concern, but they offer
divergent interpretations of this concept. Guided by the late Robert
Bork’s seminal work, The Antitrust Paradox, conservatives
invoke a total welfare standard that regards efficiency-enhancing
mergers as presumptively legitimate, no matter how those gains are
allocated between consumers and producers. For their part,
progressives also focus on the consequences for consumers, but employ
a broader understanding of consumer welfare that encompasses quality,
innovation, and choice as well as price.

Recently, a third stance has entered the fray.
Populists regard the consumer welfare standard as inadequate, because
it pays no attention to the political dimension of antitrust — in
particular, to the connection between economic concentration and
corporate political power. Reflecting a tradition extending back a
century to the thought of Louis D. Brandeis, populists believe that a
multiplicity of businesses is preferable to a small number of large
firms — for the health of local communities as well as economic
sectors — even if consumers pay higher prices.

Monday, January 08, 2018

EFF – “Across the country, private companies are deploying vehicles
mounted with automated
license plate readers (ALPRs) to drive up and down streets to
document the travel patterns of everyday drivers. These systems take
photos of every license plate they see, tag them with time and
location, and upload them to a central database. These companies—who
are essentially data brokers that scrape information from our
vehicles—sell this information to lenders, insurance companies, and
debt collectors. They also sell this information to law enforcement,
including U.S. Department of Homeland security, which recently
released its
updated policy for leveraging commercial ALPR data for
immigration enforcement. The Atlantic has called this collection of
our license plates “an
unprecedented threat to privacy.” This data, collected in
aggregate, can reveal intimate details about our lives, including
what doctors we visit, where we worship, where we take our kids to
school, and where we sleep at night. Companies marketing this data
claim that the technology can predict our movements and link us to
our associates based on which vehicles are often parked next to each
other…”

See also the Washington Post – “Beijing bets on facial recognition in a big drive for
total surveillance… It will use facial recognition and artificial
intelligence to analyze and understand the mountain of incoming video
evidence; to track suspects, spot suspicious behaviors and even
predict crime; to coordinate the work of emergency services; and to
monitor the comings and goings of the country’s 1.4 billion people,
official documents and security
industry reports show.”

Governments don’t do technology very well.
Perhaps my students could create an Emergency App?

With 70 percent of all 911 calls made nationally
on cell phones, 2News wanted to know how well your location can be
tracked in life-or-death situations.

… Apps like Pokemon-Go and Uber can track your
every move, because you have accepted the terms and conditions of
their operating system. Your acceptance gives your permission to be
tracked to your exact GPS location. Emergency dispatchers don't have
that luxury, and instead rely on cell towers from the major carriers
and what is called triangulation. If the triangulation system works,
the longer you are on the phone, the closer and closer the cell
towers can pinpoint your location as they relay information between
towers nearest to where your call was made.

It’s not the current level of sharing, it’s
the direction this is going. I’ve highlighted the hackable bits.

More and more companies are
trying to sell you cameras to put outside the house. Now one of them
is wondering: why not share their footage with neighbors, so more
people can monitor what’s going on?

That’s the idea behind
Streety, a new app from the security provider Vivint. People with
Vivint security systems will be able to share footage from their
outdoor cameras with neighbors, who will be able to tune into them
live and post messages for others. They can also place requests to
view recorded footage in case, say, they’re trying to figure out
who dinged their car a couple hours ago.

Vivint is only
activating the feature for outdoor cameras — not indoor
ones — and the sharing has
a range limit: 300 yards, or about one-sixth of a mile.
That isn’t very far, which could really restrict the feature’s
usefulness. In a denser neighborhood, that might cover a lot of
ground; but in a more spacious suburb, it might only cover a few
houses in any direction. That wouldn’t help if you’re hoping to
tap into a camera down the street to see what your kid is up to.

Gosh! What a coincidence. (As a Director, I
would like to know what is going on here.)

Four years after hijackers showed driver’s
licenses to board planes used in the 2001 terrorist attacks, Congress
passed the “Real ID” Act to force states to exert greater
oversight of the primary identification Americans use when they fly
domestically.

Now, after 13 years of delays and extensions, the
Trump administration has fixed a hard deadline of October for states
to comply. Under the law, all airline travelers must display a new,
technologically advanced license if they wish to board a plane. But
privacy advocates warn that the program, with its requirement of data
and photo sharing between states and the federal government, carries
with it some Orwellian implications.

The Department of Homeland Security has given the
23 states still operating under extensions until Oct. 10.

CRS report via FAS – Membership
of the 115th Congress: A Profile. Jennifer E. Manning, Senior
Research Librarian, January 3, 2018: “This report presents a
profile of the membership of the 115th Congress (2017-2018) as of
January 3, 2018. Statistical information is included on selected
characteristics of Members, including data on party affiliation,
average age, occupation, education, length of congressional service,
religious affiliation, gender, ethnicity, foreign births, and
military service. In the House of Representatives, there are 241
Republicans (including 1 Delegate and the Resident Commissioner of
Puerto Rico), 197 Democrats (including 4 Delegates), and 3 vacant
seats. The Senate has 51 Republicans, 47 Democrats, and 2
Independents, who both caucus with the Democrats.”

CRS report via FAS – Military
Service Records, Awards, and Unit Histories: A Guide to Locating
Sources. Nese F. DeBruyne, Senior Research Librarian; Barbara
Salazar Torreon, Senior Research Librarian. January 2, 2018. “This
guide provides information on locating military unit histories and
individual service records of discharged, retired, and deceased
military personnel. It also provides information on locating and
replacing military awards and medals. Included is contact
information for military history, websites for additional sources of
research, and a bibliography of other publications, including related
CRS reports.”

“Anywhere.link
is a one-click video conference solution. After signing up for an
Anywhere.link account, users can create a video conference. The
system provides a url to join the conference that can be sent to up
to six participants. Recipients of this link need only click it to
join the video conference – they will not need to create an
account, nor will they need to download or install any additional
software. Anywhere.link also supports screen sharing for
presentations, software demos, remote technical support, and so on.
It provides a ‘website widget’ that site owners can use to enable
one-click video calls from their home page. Anywhere.link’s free
tier allows five team members, each of whom can receive ten ‘website
widget’ calls per month and can create an unlimited number of video
conferences. Anywhere.link currently supports Google Chrome, Mozilla
Firefox, and Opera, with work ongoing to add support for other
browsers. Companion mobile phone apps for iOS and Android are
currently in beta.”

Sunday, January 07, 2018

Lancashire police officers are
researching an integration with the digital assistant that would
allow the force to send out
crime bulletins to residents, such as missing persons
reports, wanted suspects in the area, and the number of officers
currently on duty, according to a TechSpot report. The integration
could also be used for internal communications, such as to update
officers on daily crime logs or breaking incidents.

However, the most interesting potential
usage would directly involve residents, allowing
victims and witnesses to report crimes directly to the police via
their Amazon Echo—another example of how artificial
intelligence (AI) tools can potentially free up human workers like
police to do more complex work.

Did you know that police can compel you to provide
a DNA sample if they are booking you for (just) a misdemeanor?

I didn’t know, and was not happy to read about
it on FourthAmendment.com.
John Wesley Hall posts part of the opinion in U.S. v. Buller:

This court tends to agree with Justice
Scalia that the primary purpose of the DNA collection statute is
criminal investigation. As such, this court also agrees that the
Fourth Amendment should require a warrant or some level of suspicion
before the search of one’s DNA is allowed. However, until the King
decision is modified or repudiated, it remains the law of the land
and this court is bound to apply it. Because the analysis under King
and the rationale for the conclusion in King cannot be meaningfully
distinguished in the case of a misdemeanor arrestee, and because
there is no federal law decided in the five years since the King
decision was issued making such a distinction, the court concludes
that the collection of DNA from Mr. Buller is constitutional under
the Fourth Amendment.

Technology companies with unprecedented power to
sway consumers and move markets have done the unthinkable: They’ve
made trust-busting sound like a good idea again. [Yoicks!
Bob]

The concentration of wealth and influence among
tech giants has been building for years—90 percent of new online-ad
dollars went to either Google or Facebook in 2016; Amazon is by far
the largest online retailer, the third-largest streaming media
company, and largest cloud-computing provider. Silicon Valley titans
coasted to the top of the economy with little government oversight on
the backs of incredibly convenient products, a killer backstory,
shrewd lobbying, and our personal data. They were allowed to grow
unfettered in part because of a nearly-40-year-old interpretation of
US antitrust law that views anticompetitive behavior primarily
through the prism of the effect on consumers. In that light, the tech
industry’s cheap products and free services fell somewhere between
benign and benevolent.

Perspective. How would you find that
terrorist-related needle in this haystack?

WhatsApp, one of the world’s most-used messaging
services, hit a new milestone on New Year’s Eve: more than 75
billion messages sent by its users. The new record represents the
most messages sent in a single day in the chat app’s history, a
spokesperson told VentureBeat in an email. The previous record was
set in 2016, also on New Year’s Eve: 63
billion messages sent.

The 75 billion number included 13 billion images
and 5 billion videos, the Facebook-owned WhatsApp revealed.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.